Description

Scientific calculators are the best (when we know how to use them), but not all are the same. I've owned one for years, since I started college, and at the time I bought the one that fit my needs, the Casio fx-82ES. As I went further with my career I started to use complex numbers (among other things), and it's heavy math to do on a non-complex calculator, and the Casio fx-991ES did have it.
Buy a new calculator? No f** way, it's a lot of money, and a new calculator for just a few more functions.
Luckily my good friend Google came up. My calculator could be transformed into a Casio fx-991ES by just pressing some keys... a lot of them.
However, the problem is that every time it's rebooted/turned off, it goes back to how it was. So every time I needed to use complex I would have to enter the combination.
Never Again!

Details

I already have it working on a breadboard:

I'm waiting for the boards to be released from customs :-/

The total code size is given at the end of the compilation thanks to the cmake-arduino tool, and its size is ~886 bytes. That was double-checked with the avr-size tool.

Here is a screenshot of the tool:

In the video published above you can see the power consumption of the whole system: about 2uA@3v, and near 1uA on standby. (Look at the multimeter scale.)

The source code, including a detailed explanation of how and why I did what I did, is in the Bitbucket repository.

Components

1× Arduino Mini (3.3v @ 8MHz)
An ATMega328p running at 3.3v@8MHz is preferred, because of the power consumption of the regulator and LEDs on the board.

1× Calculator Casio fx-82ES
Must be available to open up and solder the lines to the outside.

Build Instructions

The column and row names k* and ki* aren't arbitrary: those are the names labeled on the calculator board, so I kept them to make things easier.

For each of them one must solder a cable, as in the picture:

And then, after opening a hole in the calc case, pass the cables (flat cable was my choice) and solder them to a connector. Care must be taken with the names, or you'll have to redo the whole config_key.sh file to match the code and the ATmega board.

I guess we're kinda taking the guy's word for it that this is an optimal hack, and that within this button-mashing madness is not actually a much simpler secret backdoor key combo that was left by the programmer. Just throwing that idea out there, because like you my mind boggles at the amount of work to create this if it really is a stack-smashing exploit (which I agree it appears to be). Even if you had the frickin' source code for the cpu and had it hooked up to a debugger it wouldn't be a trivial exercise...

Hello! I started a project aimed to find bugs in the firmware of the fx-ES PLUS models. Would you like to contribute? The calculator model that you are using now is not the right one unfortunately, we look at the fx-(82/991)ES PLUS.

We are trying to find ways to execute arbitrary code on them, and we found many interesting things, for example that the CPU used is based on the nX-U8 architecture and Googling that doesn't yield anything other than datasheets (and our casiocalc.org thread :D). We already have a disassembler written and are currently finding ways to actually make the CPU execute the keystrokes as opcodes. You could help with checking them on real hardware :D

That is marvelous and insane. It does occur to me that since this is very clearly a mask-rom CPU that's understandably being used in several products, that almost certainly there's a pin or two that's tied high or low to configure it. Rewiring that pin would be an awful lot easier. However, I see it's a chip-on-board, which may make that impossible. Anyway yeah, someone figuring out that buffer overflow is beyond crazy.